From 3340cc1ade2ebd02a83159facc0aece2fbe847b7 Mon Sep 17 00:00:00 2001 From: d1vious Date: Mon, 7 Feb 2022 15:32:17 -0500 Subject: [PATCH] removing duplicate detection --- ...f_lolbas_executed_in_short_time_window.yml | 69 ------------------- 1 file changed, 69 deletions(-) delete mode 100644 detections/endpoint/ssa___unusual_number_of_lolbas_executed_in_short_time_window.yml diff --git a/detections/endpoint/ssa___unusual_number_of_lolbas_executed_in_short_time_window.yml b/detections/endpoint/ssa___unusual_number_of_lolbas_executed_in_short_time_window.yml deleted file mode 100644 index a8875ed776..0000000000 --- a/detections/endpoint/ssa___unusual_number_of_lolbas_executed_in_short_time_window.yml +++ /dev/null @@ -1,69 +0,0 @@ -name: Unusual number of LOLBAS executed in short time window -id: 59c0dd70-169c-4900-9a1f-bfcf13302f93 -version: 3 -date: '2021-11-30' -author: Ignacio Bermudez Corrales, Splunk -type: Anomaly -datamodel: [] -description: Living Off The Land Binaries, Scripts, and Libraries (LOLBAS) are native system tools that threat actors leverage to run discovery on a system, move laterally, or increase their privileges. - Common threat actor behavior is to run scripts that execute many of these tools together in a short time window to accomplish their objectives. - This detection looks for a high distinct count (outlier > 99% distribution) of these executables launched in a window of 300 seconds on a single device. - It is not uncommon for an administrator to use these tools for system management, it is unusual to see many of them leverage in short time windows unless done by a script. -search: '| from read_ssa_enriched_events() - | eval device=ucast(map_get(input_event, "dest_device_id"), "string", null), process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), "string", null)), username=ucast(map_get(input_event, "dest_user_primary_artifact"), "string", null) - | where process_name=="regsvcs.exe" OR process_name=="ftp.exe" OR process_name=="dfsvc.exe" OR process_name=="rasautou.exe" OR process_name=="schtasks.exe" OR process_name=="xwizard.exe" OR process_name=="findstr.exe" OR process_name=="esentutl.exe" - OR process_name=="cscript.exe" OR process_name=="reg.exe" OR process_name=="csc.exe" OR process_name=="atbroker.exe" OR process_name=="print.exe" OR process_name=="pcwrun.exe" OR process_name=="vbc.exe" OR process_name=="rpcping.exe" OR process_name=="wsreset.exe" OR process_name=="ilasm.exe" OR process_name=="certutil.exe" OR process_name=="replace.exe" - OR process_name=="mshta.exe" OR process_name=="bitsadmin.exe" OR process_name=="wscript.exe" OR process_name=="ieexec.exe" OR process_name=="cmd.exe" OR process_name=="microsoft.workflow.compiler.exe" OR process_name=="runscripthelper.exe" OR process_name=="makecab.exe" OR process_name=="forfiles.exe" OR process_name=="desktopimgdownldr.exe" OR process_name=="control.exe" OR process_name=="msbuild.exe" OR process_name=="register-cimprovider.exe" OR process_name=="tttracer.exe" OR process_name=="ie4uinit.exe" OR process_name=="sc.exe" OR process_name=="bash.exe" OR process_name=="hh.exe" OR process_name=="cmstp.exe" OR process_name=="mmc.exe" OR process_name=="jsc.exe" OR process_name=="scriptrunner.exe" OR process_name=="odbcconf.exe" OR process_name=="extexport.exe" - OR process_name=="msdt.exe" OR process_name=="diskshadow.exe" OR process_name=="extrac32.exe" OR process_name=="eventvwr.exe" OR process_name=="mavinject.exe" OR process_name=="regasm.exe" OR process_name=="gpscript.exe" OR process_name=="rundll32.exe" OR process_name=="regsvr32.exe" OR process_name=="regedit.exe" OR process_name=="msiexec.exe" OR process_name=="gfxdownloadwrapper.exe" - OR process_name=="presentationhost.exe" OR process_name=="regini.exe" OR process_name=="wmic.exe" OR process_name=="runonce.exe" OR process_name=="syncappvpublishingserver.exe" OR process_name=="verclsid.exe" OR process_name=="psr.exe" OR process_name=="infdefaultinstall.exe" OR process_name=="explorer.exe" OR process_name=="expand.exe" OR process_name=="installutil.exe" - OR process_name=="netsh.exe" OR process_name=="wab.exe" OR process_name=="dnscmd.exe" OR process_name=="at.exe" OR process_name=="pcalua.exe" OR process_name=="cmdkey.exe" OR process_name=="msconfig.exe" - | stats estdc(process_name) as lolbas_counter by device, process_name, username, span(timestamp, 300s) - | eval lolbas_counter=lolbas_counter*1.0 - | rename window_end as timestamp - | adaptive_threshold algorithm="quantile" value="lolbas_counter" entity="device" window=2419200000L - | where label AND quantile>0.99 - | eval start_time = window_start, end_time = timestamp, entities = mvappend(device), body=create_map(["lolbas_counter", lolbas_counter, "quantile", quantile, "device", device, "process_name", process_name, "user", username]) - | into write_ssa_detected_events();' -how_to_implement: Collect endpoint data such as sysmon or 4688 events. -known_false_positives: 'Some administrative tasks may involve multiple use of LOLBAS - applications, usually when this detection triggers as a false positive, it tends to be due to a administrative script leveraging these tools.' -references: -- https://github.com/LOLBAS-Project/LOLBAS/tree/master/yml/OSBinaries -tags: - analytic_story: - - Unusual Processes - cis20: - - CIS 8 - confidence: 50 - context: - - source:endpoint - - stage: Defense Evasion - impact: 50 - kill_chain_phases: - - Exploitation - message: A system process $process_name$ with commandline $cmd_line$ spawn iin short - period of time in host $dest_device_id$ - mitre_attack_id: - - T1059 - - T1053 - nist: - - PR.PT - - DE.CM - observable: - - name: dest_device_id - type: Hostname - role: - - Victim - - name: process_name - type: Process Name - role: - - Others - product: - - Splunk Behavioral Analytics - required_fields: - - dest_device_id - - _time - - process_name - risk_score: 25 - risk_severity: low - security_domain: endpoint